President Obama has had to acknowledge two big lies of the Affordable Care Act: (1) You could keep your health insurance plan; and (2) the HealthCare.gov website would be fully operational at launch. Unless he acts with urgency, he will also be forced to apologize for assuring us that personal data received by the Department of Health and Human Services are secure.
In its cynical public relations campaign just before the launch of HealthCare.gov a year ago, HHS came up with a clever way of reassuring Americans that they should not hesitate to hand their sensitive data over to a new bureaucracy in shambles. The prelaunch rhetorical trick was to focus on one small part of HealthCare.gov—what HHS calls the “data hub”—and claim that it does not “retain or store Personally Identifiable Information.”
If you define the “data hub” narrowly—as just those electronic communications between agencies to verify specific data the way that the Social Security Administration verifies Social Security numbers for employers—it is arguably a true statement. However, Congress and the media regularly took that statement to apply to the entire federal exchange (unsuccessfully dubbed a “marketplace”), and HHS did not volunteer that it retains detailed personal information on applicants and callers to its toll-free number—whether or not they buy insurance through the federal exchange. HHS also did not volunteer the fact that it solicits personal data from states that chose not to participate in HealthCare.gov.
HHS established a system for storing Affordable Care Act data long before the launch of HealthCare.gov. In late 2011, HHS awarded a contract to a tiny company called IDL Solutions to provide data storage and analysis of data obtained from the public through the federal exchange. The six-year $59 million contract was huge—and probably overwhelming—for a company with less than $20 million in annual revenue, and, with that windfall in hand, IDL Solutions soon sold itself for “an undisclosed amount” to one of the largest Beltway contractors, CACI.
HHS calls the system that CACI now manages “MIDAS” (Multidimensional Insurance Data Analytics System). A senior CACI executive has publicly described MIDAS “as the central repository for health insurance coverage.”
While HHS has been secretive about MIDAS, this central repository contains more than just the names, addresses, incomes, and Social Security numbers of millions of Americans. It also includes data of great value to cybercriminals, such as telephone numbers and email addresses. Moreover, according to a publicly available draft document of the National Archives and Records Administration, MIDAS includes notes on conversations between teleservice employees and callers to HealthCare.gov’s toll-free number.
At least six subcontractors now help run MIDAS, and one of them, the American Institutes for Research (AIR), recently solicited Affordable Care Act data from states unconnected to HealthCare.gov so that it could do with those data whatever it is doing with the federal data. AIR’s requested data elements include: name, address, phone number, mailing address, citizenship status, age, gender, race, primary language, and a description of the health plan the person selected. What this solicitation means is that HHS and its contractors collect data on people who never contacted HHS and never gave permission for the federal government to access their data, much less share it widely among contractors and then store it permanently with one or more of those contractors.
Combine a massive amount of data stored in an unaudited contractor’s servers with an insecure website that stores data in other locations and you have a security breach waiting to happen—one that could damage millions of Americans. This summer HHS suffered an embarrassing breach of HealthCare.gov; it was not a sophisticated cyberattack by a foreign government or criminal enterprise—it was apparently garden-variety malicious software roaming the Internet that happened to wander into a haplessly managed peripheral section of HealthCare.gov.
As I and others predicted last year, this part of HealthCare.gov was easily penetrated, and its security systems were so deficient that it took months for HHS to recognize the penetration. The Government Accountability Office reported on September 16 that HHS had not “fully addressed security and privacy management weaknesses, including having incomplete security plans and privacy documentation, conducting incomplete security tests, and not establishing an alternate processing site to avoid major disruptions.” The GAO report also found that HHS had not followed Office of Management and Budget government-wide guidance for assessing the privacy risks of MIDAS.